Google RCS Text Messaging Is Full Of Telco Security Flaws And Customers Are Suffering

Google began rolling out its new SMS text messaging protocol earlier this month, with features powered by RCS (Rich Communication Services). This is intended to deliver a richer messaging experience. And it does, though the rollout is not going without a hitch. Unfortunately, telecoms are doing a poor job implementing the RCS standard, leaving Android users vulnerable to security threats.

To be clear, this is not a failure on Google's part. Security Research Labs (SRLabs) has only found issues in how telecoms are rolling RCS out, rather than the protocol itself. Part of the problem is that part of the standard is undefined. Companies can therefore deploy it in their own ways, and that is where the issues can creep into the mix.

"Everybody seems to get it wrong right now, but in different ways," Karsten Nohl from SRLabs told Motherboard.

RCS is a replacement for SMS. It basically runs like an app on smartphones and logs users into a service with a username and password, Nohl explains. According to SRLabs, at least 100 telecoms have adopted RCS, including all four major wireless carriers in the US (AT&T, Sprint, T-Mobile, and Verizon).

There is a range of ways improperly implemented RCS messaging can adversely affect users. Depending on the vulnerability, RCS can expose a user's IP address and verify if the person is online, spoof calls and messages, inject traffic and hijack messaging sessions, send file attachments and force an auto-preview, and so forth.

"Depending on the network configuration, attackers can locally and remotely intercept OTP codes sent via SMS, in an attempt to authorize fraudulent bank transactions or take over email accounts. This attack revamps the results obtained by hacking the SS7 network, but at a much lower cost," SRLabs says.

What this essentially boils down to is resurrecting the same mistakes that were made in the 1990s. What's frightening here is how many people are potentially affected—it's "upwards of a billion people," according to Nohl.

"We are aware of the research by SRLabs. We take security very seriously and we have a number of measures in place to protect RCS services. We will review these protections in light of the research and, if required, take any further protective measures," Vodafone said in a statement.

T-Mobile and Verizon have not issued a statement on the matter, while AT&T and Sprint are directing inquiries to the GSM Association (GSMA).

SRLabs plans to provide more details on its findings at BlackHat Europe 2019.